Rublon

Secure Remote Access

By

Last updated on March 26, 2024

You might have heard of Time-Based One-Time Passwords (TOTP) in the context of Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

But do you know what TOTP is and how it works? This article is a quick rundown of this authentication method.

TOTP Meaning

A Time-Based One-Time Password or TOTP is a passcode valid for 30 to 90 seconds that has been generated using the value of the Shared Secret and system time.

Most often, passcodes are 6-digit codes that change every 30 seconds. However, some TOTP implementations use 4-digit codes and expire after up to 90 seconds.

The TOTP algorithm follows an open standard described in RFC 6238.

What Is the Shared Secret?

The Shared Secret in TOTP authentication is a secret key shared between the client and the server.

Visually, the Shared Secret is a string in Base32 representation that looks something like this:

KRUGS4ZANFZSAYJAONUGC4TFMQQHGZLDOJSXIIDFPBQW24DMMU======

Even if, in this form, the Shared Secret is not human-readable, computers can and do make sense out of it.

The Shared Secret is transferred only once, and then both the client and the server keep it safely stored on their ends.

A malicious actor who manages to get to know the value of a Shared Secret can generate their own valid one-time passcodes. Because of this, each TOTP implementation should take extra care to store the Shared Secret safely.

What Is the System Time?

Every computer and mobile phone has a built-in clock that measures the so-called Unix time.

Unix time counts the number of seconds that have passed since 00:00:00 UTC on 1 January 1970.

Visually, Unix time is just a string of digits like this:

1643788666

But since most electronic devices with Unix time clocks are fairly synchronized, this short value is perfect to use for one-time password generation.

TOTP Authentication Implementations

Passwords are not secure. But you can combine a standard password with a Time-Based One-Time Password (TOTP). Such a combination is Two-Factor Authentication (2FA) and can be used to safely authenticate to your accounts, VPNs, and applications.

TOTP can be implemented in hardware and software tokens:

  • A TOTP Hardware Token is a physical fob that displays the current code on a small screen.
  • A TOTP Software Token is a mobile application (e.g., Rublon Authenticator) that displays a code on the phone’s screen

It does not matter if you use hard or soft tokens. The general idea of Two-Factor Authentication is to add an additional layer of security to your log-ins. Whether you have a hardware fob or a smartphone with an authenticator app, you carry your own one-time password generator that you can use during Two-Factor Authentication to gain access to your account.

How Does a Time-Based One-Time Password Work?

Every Time-Based One-Time Password (TOTP) is based on the current time and the value of the Shared Secret.

Image portraying a simplified version of time-based passcode generation

The TOTP Algorithm takes the value of the Shared Secret and Unix time to produce a one-time password.

Technically speaking, the Time-Based One-Time Password algorithm is a variation of the HMAC-Based One-Time Password (HOTP) algorithm where the counter is replaced with the current time value.

Without getting into too much technical jargon, the TOTP Algorithm is based on a hash function that takes an input of an arbitrary length and produces a short fixed-length string of characters. The strength of a hash function is that you cannot reproduce the original parameters that went into it if you only have the output.

It is important to note that TOTP is more secure than HOTP. In TOTP, a new password is generated every 30 seconds. In HOTP, a new password is generated only after it has been used. A one-time password in HOTP remains valid until it is used to authenticate, which gives a lot of time for hackers to conduct a successful attack.

Multi-Factor Authentication (MFA)

In any Multi-Factor Authentication (MFA) system that allows the use of a Time-Based One-Time Password, a user must first register their TOTP Token before they can use the device to authenticate into their account.

Some Software TOTP Tokens require the user to register a separate one-time password generator for every account. What this effectively means is that if you add two accounts to your authenticator app, the app will be generating two time-based passcodes every 30 seconds, one for each account. A single TOTP Software Token (authenticator app) can have an unlimited number of one-time password generators. Separate one-time password generators for separate accounts ensure the safety of all other accounts in the event of a security incident on one account.

To put 2FA into place, a secret shared between a TOTP Token and the security system has to be generated. This secret has to then be transferred from the security system to the token.

How Is the Shared Secret Transferred to the Token?

Usually, a security system generates a QR code and asks the user to scan this code using an authenticator app.

Such a QR code is a visual representation of a long string of characters. Roughly speaking, the Shared Secret is a part of this long string.

After the user scans the QR code using an authenticator app, the app translates the image into a string and extracts the secret. From then on, the authenticator app can use the Shared Secret to generate one-time passcodes.

The secret is transferred only once during the registration of the TOTP Token. This eliminates many security concerns about stealing the secret key. A malicious actor can still steal the secret, but for that, they must physically steal the token.

It Works Offline!

You do not need an active Internet connection on your smartphone or your physical fob to authenticate using the TOTP method.

A TOTP Token only needs to obtain the value of the Shared Secret once. Then, both the security system and the one-time password generator can generate consecutive values of the passcode without the need to communicate with each other. As a result, Time-Based One-Time Passwords (TOTP) work offline.

How Is TOTP Validated?

The following image depicts a simplified process of TOTP authentication:

Image portraying the TOTP Algorithm
  1. A TOTP Token generates an OTP using the TOTP Algorithm
  2. A user who wants to gain access to an application provides the token on the log-in page (or, for example, on the Rublon Prompt)
  3. A security system computes its own OTP using the same algorithm (same Shared Secret and current time)
  4. A security system compares the two OTP values
  5. If the values are equal, the security system grants access to the user. If not, access is denied

Enable Two-Factor Authentication Today

Rublon supports Time-Based One-Time Password (TOTP) as one of the authentication methods in Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA). Rublon supports time-based one-time passwords in the form of the Mobile Passcode authentication method, which allows you to protect your cloud and on-premises applications, VPNs, Windows, RDP, and Linux logins using state-of-the-art TOTP authentication compliant with each industry’s security regulations.

At the moment, Rublon does not support Hardware TOTP Tokens. Support for Hardware Tokens is on our roadmap and will be available in the future.

To enable Software TOTP Token authentication using Mobile Passcode and other authentication methods, start a 30-day Free Trial of Rublon.